Is OpenID Living Up to Our Expectations?

OpenID has promised to simplify the user authentication process across multiple websites, but some complain it has actually created more problems. 37signals, an early supporter of OpenID, has announced the decision to stop using it across its products. Is OpenID delivering what it promised?

OpenID is an identity system enabling users to authenticate themselves to compliant websites based on a single username/password. OpenID is backed by the OpenID Foundation, an organization founded in 2008 and sponsored by companies such as Facebook, Google, IBM, Microsoft, PayPal and Yahoo!, among others. OpenID has been considered the authentication solution that would free people from creating accounts and memorizing usernames/passwords for every website they log into.

Recently Yahoo! announced they would let Google and Facebook users log into the Yahoo! website using OpenID. This is seen as a way of attracting people to Yahoo! services, such as Flickr. But another company, 37signals, an early proponent and adopter of OpenID since 2007, has recently announced that it is dropping support for the authentication framework starting May 1st, 2011. They complain that OpenID did not make life easier for their users, and that the service has been a burden from the start:

What we've learned over the past three years is that it didn't actually make anything any simpler for the vast majority of our customers. Instead it just made things harder. Especially when people were having problems with the often flaky OpenID providers and couldn't log into their account. OpenID has been a burden on support since the day it was launched.

According to the post, only 1% of 37signals’ users are using OpenID, and most of those were doing so because “that used to be the only way to get single sign-on for our applications.” The company invites their users to switch to using regular authentication, concluding about OpenID that the “cure was worse than the disease.”

Larry Drebes, a Janrain employee, has commented on 37signals’ decision to dump OpenID. Janrain is an early adopter of OpenID and a major identity provider. He said he is the only employee in his company using OpenID when connecting to Basecamp, a collaboration product provided by 37signals. He says that 37signals’ main problem has to do with the user interface and the user experience:

The UI treatment sports the circa 2007 URL input field, and while this resonated with the early adopter crowd, it's a high bar for the mainstream crowd. We learned several years ago that branded buttons make it very obvious for users that they can use their Google, Yahoo, Facebook, or other account to login. The naked URL bar makes it nearly impossible to take a Google or Google apps OpenID. Just a side note, Google is the most popular provider (transactional basis) across the 300,000 sites currently using Janrain Engage for social login.

Offering just OpenID is no longer enough. In fact we prefer to focus on enabling users to login with a social identity they already have, and not highlight the protocols under the cover (OpenID, OAuth, or an API to a proprietary system). The user doesn't need to know it's OpenID (Google, Yahoo, AOL), or OAuth (Facebook, MySpace, Twitter), or proprietary (Microsoft, etc).

The OpenID login is hard to find on 37signals’ interface and once users find it, they are not able to create new accounts with an OpenID. Unfortunately this diminishes a significant portion of the value proposition.

Rob Conery, creator of the SubSonic project, co-founder of Tekpub.com and a former proponent of OpenID, wrote a post entitled “Open ID Is A Nightmare”, describing in detail some of the problems he had with OpenID and why he decided to stop using it. One of the main problems was flaky identity providers that do not provide the service when you need it. His conclusion was: “[OpenID is] a great solution to a long-standing problem and solves a lot of issues for developers. Unfortunately it creates a ton more for business owners.”

Answering the Quora question “What's wrong with OpenID? It hasn't taken over the world”, Yishan Wong said “OpenID is the worst possible ‘solution’ I have ever seen in my entire life to a problem that most people don't really have.” One of the problems he mentions is the confusion OpenID creates:

Proponents [of OpenID] are literally expecting people to sign up for yet another third-party service, in some cases log in by typing in a URL, and at best flip away to another branded service's page to log in and, in many cases, answer an obscurely-worded prompt about allowing third-party credentials, all in order to log in to a site. This is the height of irony - in order to ease my too-many-registrations woes, you are asking me to register yet again somewhere else?? Or in order to ease my inconvenience of having to type in my username and password, you are having me log in to another site instead?? …

At best, a re-directed third-party proxy login is used, which is the worst possible branding experience known on the web - discombobulating even for savvy internet users and utterly confusing for regular users. Even Facebook Connect suffers from this problem - people think "Wait, I want to log into X, not Facebook..." and Facebook needs to make the brand and purpose of that "Connect with Facebook" button ubiquitous in order to overcome the confusion.

Wong considers that OpenID cannot be fixed with some tweaks, and the entire system needs to be thrown away.

What is your experience with using OpenID? Has it delivered the authentication simplicity promised, or has it been a nightmare as some suggest?

Glad you like it. Your argument that we're "complainers" is very well thought out and compelling - however I might suggest that you give a read to the articles cited. As mentioned, I was a proponent - not anymore.

Finally - what you like is federated single sign-on with Google. Not Open ID. I like that too. I don't like Open ID. It's been mangled and held hostage.

You may bash OpenID as much as you please but I almost gave up on posting this comment when I realized I had to register first. I started laughing at the situation actually. Only the fact that I remembered I already had an account made me stay on the site and participate in the discussion. Maybe I should say "I like federated single sign-on" or whatever, but I like what OpenID gives us nevertheless. Also, the website I'm developing at the moment supports OpenID. It was one of the first features I implemented. Registering over and over sucks harder than anything else on the web. Maybe OpenID is a solution with many flaws but it still solves the biggest issue.

I was on the Yadis/OpenID mailing list at the very beginning. I've even implemented an early consumer library. But I gave the protocol up quickly after it became apparent the designers had neither competency in HTTP, nor usability, and actively fucked any potential privacy advantages of the scheme.

There's one important aspect of OpenID that needs to be pointed out here. It was never intended as a general login and authentication protocol. Its original purpose was to be a homepage URL verification service. The targeted user base were bloggers who wanted to reliably identify each other. And that's not just semantic hair-splitting.

After its rise in adoption OpenID was reinterpreted and repurposed as a login framework. But URLs (or URIs as the hipsters say) were at the very core of the protocol. Which makes it a big failure for use by the general population. A nice login UX with provider logos and just a login name cannot conceal this. There were many advocates for user@provider handles and other usability features from the start. But this was ignored until recently with OpenID3/WebFinger. But I guess it's way too late and cannot make up for the other issues either. Let's hope it fades away soon, because it's blocking the way for alternatives. (OAuth isn't. And even as a Microsoft-basher, I have to admit they might have the better alternative with Passport/Cardspace.)

As a user, I am tired of endless registration forms, asking me to type a unique userid, type a password twice and ensure it's strong enough, and at last a captcha that makes me waste a lot of time retrying and retyping the password again and again. WTF experience! OpenID just makes it easier: I use myopenid, which offers me an easy-to-remember URL, and I can create my account in two or three steps.

As a developer, I would prefer OpenID as a highly uniform standard available from several providers instead of some vendor-specific solutions.

OpenId may not be the solution, but there IS a register problem
by Bruno Vernay

I am also tired of endless registration forms, userId, password, confirmation email ... There is a problem and a growing one, as there are more and more sites to register to.

I use OpenId and Google Account. It is not perfect but it saved me 2 or 3 registrations. I am implementing SAML/Shibboleth so I know SAML better than OpenID. They really thought about privacy and federation.

I don't care which solution is used as long as it works well and saves me from registering on all the sites I want to interact with.

Now, when I want to log onto sites where I have an account, when I enter jradix.blogspot.com/ as my OpenID, it is redirected to jeromeradix.com and the site now wants to create a new account! I have no way to tell the site that I want to associate this new OpenID to my old account.

The only way to do it is to change my blog back to jradix.blogspot.com, then log onto the site with my OpenID. If the site allows me to add new openIDs, I can switch my blog to jeromeradix.com (while I'm connected using jradix.blogspot.com) and then, on the site, add jeromeradix.com as a new OpenID.

So, when designing a site with OpenID, at least allow your users to have many OpenIDs associated to one account. Thanks!

This is not only a Blogger.com problem, it's a problem when you don't want to be locked to only one OpenID hosting service.
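The situation in this comment (an identifier that starts redirecting to a new URL, and a site that then insists on a fresh registration) is a design problem on the relying party side. The following Python is an added example written for this article, not code from the commenter or from any OpenID library: an account store that lets one local account own several verified OpenID identifiers, looks accounts up by a normalized identifier, and only allows a new identifier to be linked from a session that was already authenticated. The identifier normalization is a simplified form of the OpenID 2.0 rules (default scheme, lowercase host, empty path becomes "/", fragment dropped); the class and function names, and the sample identifiers jradix.blogspot.com and jeromeradix.com taken from the comment, are assumptions for illustration.

```python
"""Added example (not from the page or any commenter): one local account, many
verified OpenID identifiers, with linking allowed only inside an authenticated
session. Identifiers passed in are assumed to be the claimed_id returned after
the provider's signed assertion was verified, never the raw string a user typed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(identifier: str) -> str:
    """Simplified OpenID 2.0 identifier normalization (assumption: URL
    identifiers only, no XRIs): add http:// when no scheme is given,
    lowercase scheme and host, use "/" for an empty path, drop the fragment.
    Looking up "jradix.blogspot.com" and "HTTP://JRadix.Blogspot.com/" must
    hit the same account, otherwise users get spurious "new account" prompts."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


@dataclass
class Account:
    account_id: int
    display_name: str
    openids: Set[str] = field(default_factory=set)  # normalized identifiers


class AccountStore:
    """In-memory stand-in for the relying party's user table (constructed)."""

    def __init__(self) -> None:
        self._accounts: Dict[int, Account] = {}
        self._by_openid: Dict[str, int] = {}  # normalized identifier -> account_id
        self._next_id = 1

    def register(self, display_name: str, verified_claimed_id: str) -> Account:
        key = normalize_identifier(verified_claimed_id)
        if key in self._by_openid:
            raise ValueError("identifier already belongs to an account")
        acct = Account(self._next_id, display_name, {key})
        self._accounts[acct.account_id] = acct
        self._by_openid[key] = acct.account_id
        self._next_id += 1
        return acct

    def lookup(self, verified_claimed_id: str) -> Optional[Account]:
        """Login path: find the account owning this verified identifier, if any."""
        owner = self._by_openid.get(normalize_identifier(verified_claimed_id))
        return None if owner is None else self._accounts[owner]

    def link(self, session_account_id: int, verified_claimed_id: str) -> Account:
        """Attach a further identifier to the account of an already logged-in
        session. The new identifier alone proves nothing about who owns the
        existing account, so linking must be gated on the session, not on the
        new assertion; an identifier already owned by another account is refused."""
        key = normalize_identifier(verified_claimed_id)
        owner = self._by_openid.get(key)
        if owner is not None and owner != session_account_id:
            raise ValueError("identifier already linked to another account")
        acct = self._accounts[session_account_id]
        acct.openids.add(key)
        self._by_openid[key] = session_account_id
        return acct

    def unlink(self, session_account_id: int, verified_claimed_id: str) -> Account:
        """Remove an identifier, but never the last one, or the account is orphaned."""
        key = normalize_identifier(verified_claimed_id)
        acct = self._accounts[session_account_id]
        if key not in acct.openids:
            raise ValueError("identifier is not linked to this account")
        if len(acct.openids) == 1:
            raise ValueError("cannot remove the only identifier on the account")
        acct.openids.discard(key)
        del self._by_openid[key]
        return acct


def walkthrough() -> Dict[str, object]:
    """Replays the commenter's scenario: the old identifier is known, the new one
    is not, so the user signs in with the old one and links the new one."""
    store = AccountStore()
    acct = store.register("jerome", "jradix.blogspot.com/")  # constructed sample
    first_try = store.lookup("http://jeromeradix.com/")      # None: unknown, do NOT auto-register
    session = store.lookup("jradix.blogspot.com")              # sign in with the old identifier
    store.link(session.account_id, "http://jeromeradix.com/")  # link inside that session
    second_try = store.lookup("jeromeradix.com")               # now resolves to the same account
    return {
        "unknown_before_link": first_try is None,
        "same_account_after_link": second_try is acct,
        "identifiers": sorted(acct.openids),
    }


if __name__ == "__main__":
    print(walkthrough())
```

When the lookup returns None, the login page should offer two explicit choices, "sign in with an identifier you already linked, then add this one" or "create a new account", rather than silently registering a second account; the separate link and unlink methods are what make the first choice possible.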

It's a problem that there are so many OpenID providers; it's also a problem that someone has no Google account(?) or other account. But I like signing up with a Google account. If there are other OpenID providers for me to choose from, I will be confused. Maybe that is the site's problem, not OpenID's.

Personally I am tired of having one account per site. I cannot manage to remember all the usernames and passwords. OpenID serves a real need, and the arguments here against it are from the vendors' point of view and weak. For example:

- Proponents [of OpenID] are literally expecting people to sign up for yet another third-party service, in some cases log in by typing in a URL, and at best flip away to another branded service's page to log in and, in many cases, answer an obscurely-worded prompt about allowing third-party credentials, all in order to log in to a site.

Everybody has a Yahoo or Gmail or Facebook account, so it is not really a problem. Plus, if I choose a bad OpenID provider, it is my own problem.

- What we've learned over the past three years is that it didn't actually make anything any simpler for the vast majority of our customers. Instead it just made things harder. Especially when people were having problems with the often flaky OpenID providers and couldn't log into their account. OpenID has been a burden on support since the day it was launched.

I didn't use Basecamp heavily, but I loved the fact that I didn't have to remember yet another password for it! It seems that in this paragraph the main argument is the last one; maybe they shouldn't worry about supporting all those flaky providers.